AFAIK you can use the API w/o any auth for non security related access aka read only und non-sensitiv. To access the sensitive info and to edit something (e.g. disable filtering) you need to use the API key. But there is only one API key.
In case of a security breach you need to reset the key and alter all of the places where it was used. You cannot easy tell which instance was compromised or which instance went nuts via the API key.
The following changes will enhance this:
- multiple API keys
- detailed rights management for API keys (access to specific commands: deny, to, rw)
- option to disable public API access